Ben Laurie blathering

23 Jul 2015

Disclaimer: I have almost no experience cooking Vietnamese, this is just a distillation of various recipes I’ve only read.

Lamb steak (or other meat: just did this with rib-eye steak, was delicious)
Onion
Sugar
Garlic
Crushed chilli (or other form of chilli)
Vinegar
Soy sauce
Fish sauce

First cook the lamb (or other) steak until browned outside but rare inside. Set aside and slice into thin slices during the remaining cooking.

Slice onions then fry gently in oil until transparent. Add sugar (quite a lot – for two I use a couple of tablespoons at least), garlic, chilli and fry until the sugar is lightly caramelised. Throw in equal parts of vinegar, soy and fish sauce (roughly speaking, you want a little more total liquid than you had sugar), stir in and bring to the boil. Cook until slightly thickened. Add the sliced meat and stir-fry until cooked to your liking.

Serve with boiled rice and something green.

Comments Off on Vietnamese Style Sweet and Sour Lamb

14 May 2015

Sous vide the duck breasts with a bit of honey and salt at around 56C for about an hour to 90 minutes (sorry, but sous vide really is the path to tender duck breasts – if you can’t sous vide, then cook them however you like, to rare or medium rare). Let them cool down a little, then fry for a few minutes on each side to brown (if you’ve done the sous vide thing).

Let them rest for 5-10 minutes, slice into 1/4″ slices.

Thinly slice the fennel.

Peel the orange and break the segments into two or three chunks each.

Quickly stirfry the duck breasts for just a short while – 30 seconds or so. Add soy and honey. Throw in the orange chunks and sliced fennel and stirfry until the fennel has wilted slightly and the orange is warm (and the duck is still somewhat rare, so start with pretty rare duck!).

And then you’re done.

I suspect this would be improved with some sesame seeds stirfried just before the duck breasts, but I haven’t tried it yet.

8 Sep 2014

I’ve recently started experimenting with smoking. First experiment was lamb bacon, but that’s going to take some refining – it was good, but I’m sure it could be better. Recipe once refined.

Todays’ was smoked duck breasts.

Marinade the duck breasts for 2 days in red wine, sugar, salt, pepper and chinese five spice. Smoke (I use a ProQ Frontier) with apple wood (half a smoking box full) and lapsang souchong tea (contents of four teabags) at 125C for 3-4 hours.

Fry the onions in the ghee. Add ginger and ground spices and fry for a minute more, then add the diced lamb and brown. Add the raisins, banana (sliced), dried apricot (roughly chopped) and lemon (cut into eighths, including skin) and some yoghurt. Cook on a medium heat until the yoghurt begins to dry out, then add some more. Repeat a couple of times (I used most of a 500ml tub of greek yoghurt). Salt to taste. Eat. The lemon is surprisingly edible.

I served it with saffron rice and dal with aubergines.

Comments Off on Fruity Lamb Curry

31 Jan 2014

Dice the bacon, fry in the oil ’til slightly browned. Add sliced onion and fry until sweet. Add chicken stock and frozen peas (you want a pretty high pea-to-stock ratio), boil for a few minutes. Blitz to a pretty smooth puree (longer than you think, the peas’ outer coatings are quite chewy). Season (I didn’t need salt). Serve with a dollop of sour cream in the middle.

The whole thing only takes about 15 minutes, if that.

I’m sure it’d be great with fresh peas, too. Perhaps even better. Obviously you’ll need to boil it for longer.

Comments Off on Pea Soup

24 Jan 2014

Dry fry the Cs (all curries are mostly made with spices that start with C … seriously), then grind them. In the meantime, or after, fry thinly sliced onions + ginger in olive oil. Once they’re slightly browned, add the spices (including garam masala) and some butter. Fry/stir for a little longer (maybe a couple of minutes). Add the diced parsnips and coat them, then add milk and chicken stock (1:2 ratio) to cover. Boil for about 30 mins, til the parsnips are somewhat soft, then blitz. You probably need some salt, too.

That gives a basic recipe. I added sliced grilled sausages.

I think shredded roast duck legs would also go well, but I haven’t tried yet.

Chilli, either fresh (which would look nice added at the end) or ground, would be good, too, but not necessary.

Comments Off on Parsnip Soup

4 Jan 2014

These days, I spend a fair amount of time trying to dream up low calorie dishes (no, I am not on a low calorie diet). Today I tried a new one and an old favourite, combined. Probably about 250 calories a head, given enough to fill a plate. Calculate your own calories if you care.

Anyway, the bhuna:

Fish (I wanted to use cod, but all I had was salmon)
Onion
Tinned tomato
Ginger
Garlic
Cumin
Coriander
Chilli
Cloves
Ghee
Salt

My fish had skin on, so first I fried the skin side to crisp it, then set aside. Fry thinly sliced onions in a small amount of ghee (or if you really are counting your calories, spray some oil) until sweet. Add crushed garlic, diced ginger and ground cumin, coriander, chilli and cloves. Cook them for a minute or two then add the tinned tomatoes and some salt, mash them up, cover and simmer for a while (say 15 minutes) stirring occasionally. Add water if needed to stop it drying out. After 15 minutes put the fish on top, re-cover and let it steam (or bury it in the sauce if you prefer). Leave that going for 10 minutes or so while you cook the cauliflower…

Cut the cauliflower up into florets. Fry the ginger, mustard and onion seeds in a little ghee (or a spray of oil), stirring, until the mustard seeds start to pop pretty vigorously. Add the cauliflower (I actually had some broccoli which I added too) and stir fry for a minute or so, then add a splash of water, which will, of course, fairly quickly boil off. Keep adding water a little at a time, stir frying, until the cauliflower is cooked to your liking (al dente is good!). Add salt and lemon juice (go easy, I used half a lemon for two people generously served). Stir once and serve.

If you don’t care about calories, saffron rice would go well with this. We had a spoonful of yoghurt each, which went well.

Comments Off on Salmon Bhuna and Dry Cauliflower Curry

21 Nov 2013

Apparently, it’s a thing. I made some to go with roast pork. It was nice. We had it again tonight with fried salmon, green veg with cream and saffron, and pasta. It was nice again. So, here’s the vague recipe…

The pickling juice is cider vinegar, water and sugar in a 5:5:1 ratio. For three apples (sliced into big but thin chunks), I used 400 ml each of vinegar and water, and (obviously) 80g of sugar. I added black peppercorns, coriander seed, cloves and star anise. Probably I could’ve used less liquid or more apple.

It was pretty nice with the pork after 2-3 hours. Even nicer with the salmon a day later.

That is all.

Comments Off on Pickled Apple

20 Jul 2013

A friend brought me okra, which is hard to find in Wales (let me know if you know different!) and I invented this dish to go with the chicken curry I was cooking. By special request I am going to try to guess quantities, but feel free to ignore them.

Thinly slice the onion and fry it in the ghee until sweet. Add the thinly sliced ginger (I like to keep the ginger in slices rather than dicing it, but you could also dice) and the chilli flakes (or finely diced fresh chilli), mustard, onion and fennel seeds. Fry for a minute or so. Add the top-and-tailed-and-made-uniform-sizes okra and fry for a while, occasionally adding a little water so it cooks (let the water boil dry before adding more). When the okra is tender, add the vinegar and sugar, making sure the sugar dissolves and the vinegar boils. You can serve it any time from now, but I think it should at least be warm. You are supposed to eat the ginger, not pick it out.

BTW, all frying is actually stir-frying. The whole thing should only take 10 minutes or so.

Comments Off on Quick Okra Pickle

11 Jun 2013

For almost all of my life, I have hated rice pudding. But recently my wife made some (up to now, I’ve only seen her eat it from a tin – disgusting stuff). And it was awesome. So now I keep making rice pudding.

I recently had occasion to cook it for a lot of people. Here’s the recipe.

24 Jan 2013

They are a way to allow people to use the things they are allowed to use and not the things they are not allowed to use by giving them a key for each thing they are allowed to use. Every thing has its own key. If you are shown a key you can make another key for the same thing. Keys should be very, very, very hard to guess.

For capability purists: yes, I am describing network capabilities.

Comments Off on Up-Goer 5 Capabilities

10 Jan 2013

The sea bass part of this is really easy: fry sea bass fillets in extra virgin olive oil and some sea salt for about 5 minutes skin side down, which makes it lovely and crispy, then turn over for about 30 seconds to cook it through. Obviously you do this at the end.

Dal is a more moveable feast – I used a mix of toor dal (oily, as it happens, but plain would be fine), white urad dal and red lentils – these all cook relatively quickly and end up quite soft. Fry onions in ghee, add ground cumin, coriander, fennel, fenugreek, dried red chili, star anise (I know this is non standard, but it is great in dal) and whole mustard seeds. You can play with this mix infinitely, but that’s what I used tonight. Fry the washed dal briefly in the onion/spice mix and then add water. Boil hard for about 30 mins, stirring occasionally, adding water as needed (a quite wet outcome is perfectly ok) until the dal is soft but still retains a little identity. Towards the end add chicken stock and salt.

I also did cardamom rice (take whole cardamom, beat up somewhat in a pestle and mortar and chuck into the rice/water mix at the beginning – cook the rice however you cook rice). The whole combo was lovely – crispy sea bass contrasted nicely with the soft, spicy dal, and the rice gave that slight citric edge.

Comments Off on Sea Bass and Dal

25 Nov 2012

People want to design protocols where replay attacks are prevented. To prevent replay attacks, you have to keep track of what’s already been said. But you don’t want to do this forever, so the smart thing to do is include time in the protocol. That is, the message is accepted if both the timestamp is recent and the nonce (or whatever) has not previously been used. This means that the server can discard nonces after a while and not worry about allowing replays of very old packets.

But then the problem is that clients don’t have the right time.

And so people jump through hoops to take account of this fact – extra round trips, time offsets, all sorts of nonsense.

Can we stop dancing around the problem and just fix the damn client’s clock? If the user wants the clock set wrong, fine – all we need is a correct clock for protocols. The machine can continue to show the user whatever wrong time he wants to see.

So how do we get this correct clock? Well, that doesn’t seem hard – we have NTP already, and it works pretty well. If we have mutually distrusting parties that don’t want to rely on each other’s clocks, then it doesn’t seem hard to have clocks with signatures (NTP already supports this) so each distrusting group can nominate its trusted time servers and multiple clocks can be maintained for them.

This seems like an entirely soluble problem, yet every time I review a protocol that needs it, it is thrown up as completely insoluble. It really seems like it’s time to bite that bullet – it’s not even hard (a rubber bullet?)!

Note: this does not solve any problems to do with untrusted clients. You still need to design your protocols to resist clients that want to mess with you. But at least you could stop worrying about time skew.

If you Google for that, maybe you’ll now find this article, but as I write, you get a lot of hits on people with this problem, and a paucity of useful advice. So, here’s how I fixed it…

First off, the core problem is ant needs BSF (the Bean Scripting Framework) in order to run scripts at all, and also Rhino, in order to run Javascript. And to complicate matters further, BSF needs Jakarta Commons Logging. It turns out you can get these in various ways, some of which I’ve tested. In particular, you can generally download zips of jars (and other junk) from the projects’ sites (generally described as binaries, for some reason), or you might be able to install packages or ports. In practice I got BSF from its own site, logging by installing a port, and I tried Rhino both ways. So, once you’ve got the relevant jars, the next bit of magic is to let Ant know about them.

You can either install them in Ant’s library directory, wherever that is, or name them in a -lib argument on the command line. Like this:

And Robert, as they say, is a close relative. Update: putting them on the classpath does work, so long as you remember the classpath is separated by colons and not semicolons. On some platforms. However, this does not make jrunscript work.

So, this solved my immediate problem, but I’m now really curious to know how jrunscript can be made to understand JS. Coz right now, despite having all the stuff I need to make Ant do it, I get

4 Oct 2012

Cryptographers are excited because NIST have announced the selection of SHA-3. There are various reasons to like SHA-3, perhaps most importantly because it uses a different design from its predecessors, so attacks that work against them are unlikely to work against it.

But if I were paranoid, there’d be something else I’d be thinking about: SHA-3 is particularly fast in hardware. So what’s bad about that? Well, in practice, on most platforms, this is not actually particularly useful: it is quite expensive to get data out of your CPU and into special-purpose hardware – so expensive that hardware offload of hashing is completely unheard of. In fact, even more expensive crypto is hardly worth offloading, which is why specialist crypto hardware manufacturers tend to concentrate on the lucrative HSM market, rather than on accelerators, these days.

So, who benefits from high speed hardware? In practice, it mostly seems to be attackers – for example, if I want to crack a large number of hashed passwords, then it is useful to build special hardware to do so.

It is notable, at least to the paranoid, that the other recent crypto competition by NIST, AES, was also hardware friendly – but again, in a way useful mostly to attackers. In particular, AES is very fast to key – this is a property that is almost completely useless for defence, but, once more, great if you have some encrypted stuff that you are hoping to crack.

The interesting thing, to me at least, is that, in retrospect, this is completely obvious. In cryptography, we have standards that we hold encryption algorithms to, and one of these is semantic security. In short, this means that an attacker should learn nothing (other than length[1]) about a plaintext, given its ciphertext. One way this is often phrased is as a game: given two plaintexts of equal lengths, and one ciphertext made from one of the two plaintexts, then an attacker, who knows everything about the algorithm other than the key, should not be able to guess better than chance which of the two plaintexts was used.

It is obvious that, in general, if compression is used, this game can only go the attacker’s way: the length of the ciphertext must reveal something about the content of the plaintext. This is because, in general, not all texts can compress – indeed, if some plaintexts come out shorter, there must also be some that come out longer. So, since the attacker knows what compression algorithm is in use, he can tell which of the two plaintexts was used by the length of the ciphertext, in general (note that there may be pairs of plaintexts for which this is not true, but in general, there are pairs where the lengths are different). And thus he wins the game, which shows that compression simply cannot be used in a system giving semantic security[2].

And we expect TLS to give semantic security, just like all modern crypto. So, it should’ve been obvious from the start that compression was a non-runner. Why did we not realise? I think the answer to that question would be very interesting indeed. Also, what else do we do now that obviously violates semantic security?

[1] Sometimes even academics admit to real world constraints!

[2] Pedants might argue that actually, yes, you can use compression: just pad everything to the longest a plaintext could compress to. As I’ve noted above, if the compression works at all (that is, some texts are reduced in length), then some texts must actually expand. Which means that you must pad to longer than the original length. So, yeah, pedant, you can use compression, but only if it actually expands!

11 Sep 2012

In line with Certificate Transparency (note, updated version, 2.1a), we’ve been thinking about how to do something similar for revocation. Not because we have any particular plan but because as soon as we mention CT, people always say “what about revocation?”. Which is, admittedly, in a bit of a pickle, and it isn’t at all obvious how to fix it. But however its fixed, we think its a good idea to have transparency – for everyone to be assured that they are seeing revocation state that is the same as everyone else is seeing, and for revocations to be auditable – just as we think certificate issuance should be.

So, we’re quite excited that recently we came up with not one, but two, mechanisms. One of them (Sparse Merkle Trees) even appears to be novel. There’s a brief write-up here.

Also, it turns out, Sparse Merkle Trees can be used to solve a problem that has been bugging me with Sovereign Keys since day one. The issue is that in SK the relying party needs to trust mirrors to tell it what the current status of any particular domain is (i.e. what the current key is), because the only other way to be sure is to download the entire database, which will be many gigabytes long. Using Sparse Merkle Trees plus a CT-like append-only log (as described in the RT document), this is no longer the case. Instead, we can generate a sparse tree containing leaves corresponding to the hashes of domain names. The value stored at the leaf is the domain’s current key (or whatever we want to store there). The sparse tree allows us to verify efficiently that we are, indeed, seeing the latest version, and the append-only log prevents abuse of the change mechanism to make temporary changes shown only to a subset of relying parties.

23 Aug 2012

When I talk to people about what I’m doing, I usually mention the DigiNotar fiasco. I’m often surprised by how many people remember it, especially those not involved in security – and often not particularly technical.

DigiNotar, of course, no longer exists as a result of this incident. But who remembers VASCO, the company that owned DigiNotar? No-one, as far as I can tell. Apparently they suffer not at all from their incompetence.

VASCO expects the impact of the breach of DigiNotar’s SSL and EVSSL business to be minimal. Through the first six months of 2011, revenue from the SSL and EVSSL business was less than Euro 100,000. VASCO does not expect that the DigiNotar security incident will have a significant impact on the company’s future revenue or business plans.

14 Aug 2012

There’s been a lot of heat about Cryptocat lately. But not much light. In summary, one side says you can’t trust software you download from the ‘net to not reveal all your secrets, and the other side says that’s all we got, so suck it up. So, how do we fix this problem?

First off, lets take a look at the core of the problem: if you download something from the ‘net, how can you be sure what you got is what was advertised? One of the much-lauded benefits of open source is that it can be reviewed – experts can take a look and see whether it really does what it says. So, that deals with half the problem. But how do we know we got what the experts reviewed?

I propose that the answer is publicly verifiable logs. The idea is that anyone can operate a log of “stuff” that can be verified by anyone else. What do I mean by “verified”? I mean that if two people see the log, they can mutually check that they saw the same thing. Of course, this is trivial if you are prepared to send the whole log to each other – just check they’re identical. The trick is to do this verification efficiently.

Luckily we have a way to do that: Merkle Trees. These allow us to summarise the log with a short chunk of binary (the “root”). If we both get the same root, then we both have the same log. What’s more, they also allow an efficient proof that any particular item is in the log – given the item, the log can show a chain of hashes leading to the root. This chain proves that the item actually is in the log summarised by the root.

What’s more, with only a bit more cunningness, we can also efficiently show that any version of the log (with more data appended) contains any prior version. In other words, we can show that the log never deletes anything, but only grows by adding new things at the end.

Got it? To reiterate: it is possible to create a log that can demonstrate that everyone sees the same version, and that as it grows, everyone continues to see the same data added to it. What’s more, these things can be done efficiently[1].

Now we have that piece of machinery, how do we use it to solve the “Cryptocat problem”? Simple: every time Cryptocat does a new release, it pushes a copy of the source into the verifiable log. Every time you download Cryptocat, you verify that the version you are given is in the public log, and refuse to run it if not. And we’re done.

If Cryptocat ever decides to release a version that, say, reveals your keys, or decrypts your chats for a third party, then that version is on display for all to see. Cryptocat will get caught – and likely caught quite quickly. If Cryptocat tries to avoid this publication, then you won’t run it, so you’ll be safe.

Admittedly this does not actually _prevent_ Cryptocat from shafting you, but it does mean it is very unlikely to get away with it, and having done it once, it will probably not get the chance to do it to anyone again…

Note that it doesn’t matter if the author of Cryptocat is the one who made the change, or someone who hacked his site, or a man-in-the-middle. If they do not publish source, then you won’t run it. And if they do publish source, they get caught.

Incidentally, I originally proposed publicly verifiable logs for fixing PKI but they have many uses. Also, for Certificate Transparency, we are implementing a publicly verifiable log. I would be very happy to help with a version for logging software instead of certificates.

[1] To get an idea of what I mean by “efficiently” a proof that two log versions are consistent or that a particular item is in a particular log version consists of log_2(n) hashes, where n is the number of items in the log. So, for a log with a billion items, this proof would have around 30 entries, each, say, 32 bytes long. So, it takes me less than 1 kB for a proof about a log with a billion entries. How about a trillion? Just ten more entries, i.e. under 1,300 bytes.

In a nutshell, a new certificate is sent to the log, which immediately returns a signed hash of the certificate, indicating that the cert will be included in the log. It is required to actually appear in the log before a certain amount of time has passed. Other than that, everything proceeds along the same lines as before, though there are many detailed changes.